Frequently Asked Questions
-
Yes, if your business relies on technology, stores customer data, or connects to the internet, a security audit is essential.
Most cyber incidents happen because of basic, undetected gaps. A security audit gives you a clear, independent view of your risks and practical steps to reduce them.
-
They can, but it is not always the best approach.
Most IT providers focus on keeping systems running smoothly, not independently assessing risk. Because they are responsible for managing your environment, it can be difficult for them to objectively identify gaps or shortcomings in their own work.
An independent security audit provides:
• An unbiased, external perspective
• Identification of blind spots that may be overlooked internally
• Greater credibility for compliance, insurance, and board reporting
• Assurance that risks are being properly measured and managed
Your IT provider still plays an important role in fixing any issues that are found, but the audit itself is often more effective when completed by a qualified, independent specialist.
-
Costs vary depending on your size, systems, and scope.
For most NZ small to medium businesses, audits typically range from a few thousand dollars for a basic assessment through to more comprehensive programmes for larger or regulated organisations.
The key point: a breach or downtime will almost always cost far more than the audit itself.
-
At a minimum, annually. However, you should also consider an audit:
• After major system changes or upgrades
• When onboarding new vendors or cloud platforms
• If your business handles sensitive data, such as healthcare or finance
Many organisations move to ongoing, structured programmes like SMB1001 rather than one-off audits.
-
A security audit looks at your overall security posture, including policies, configurations, processes, and risks.
A penetration test simulates a real-world attack to find exploitable weaknesses.
In simple terms:
• Audit = Where are our risks?
• Pen test = Can those risks actually be exploited?
Both are valuable, but they serve different purposes.
-
Look for a provider that:
• Explains findings in plain English, not technical jargon
• Provides practical, prioritised recommendations, not just a report
• Understands your industry and regulatory requirements
• Offers a structured framework, not just a one-off test
• Has auditors with relevant, recognised qualifications such as CISSP, CISM or SSCP
• Can support remediation, not just identify issues
A good auditor acts as a long-term partner, not just a report generator.
-
Yes, they can significantly reduce the risk.
While no audit can guarantee complete protection, they:
• Identify vulnerabilities before attackers do
• Improve controls and processes
• Reduce the likelihood and impact of incidents
Most breaches exploit known, fixable issues, and audits help you address them proactively.
-
Security audits are especially important for:
• Healthcare and medical practices
• Financial services
• Legal firms
• Education providers
• Any organisation handling personal or sensitive data
In many of these sectors, audits are either expected or required for compliance.
-
Absolutely.
Cloud platforms like Microsoft 365 and Azure are secure, but only when configured correctly.
Common risks include:
• Misconfigured access controls
• Data exposure
• Weak identity security
A cloud security audit ensures your environment is set up safely and aligned with best practice.
-
Regularly.
Threats, technologies, and compliance requirements evolve constantly. Most recognised frameworks are updated every few years, but best practices shift much more frequently.
That is why ongoing review, not just a one-off audit, is critical.
-
Yes, arguably even more so.
Startups often grow quickly and put security in place later, which creates risk.
An early audit helps:
• Establish strong foundations
• Build trust with customers and investors
• Avoid costly mistakes later
It is far cheaper to build security in than to fix it after a breach.
-
Security audits play a key role in helping your business meet data privacy obligations.
They assess how personal and sensitive information is collected, stored, accessed, and protected across your systems. This helps ensure you are meeting requirements under laws such as the New Zealand Privacy Act and other relevant regulations.
A security audit can:
• Identify gaps in how data is protected
• Ensure access controls are appropriate and limited to the right people
• Highlight risks around data storage, sharing, and retention
• Provide evidence of due diligence for regulators, clients, and partners
• Support policies and processes that align with privacy obligations
Importantly, audits do not just point out issues. They give you practical recommendations to improve compliance and reduce the risk of data breaches or privacy complaints.
In simple terms, a security audit helps ensure you are not just collecting data, but protecting it responsibly.
